My Containerfiles

About The Project

This repository contains containerfiles for building signed container images optimized for use with distrobox and toolbox. The containers are cryptographically signed for enhanced security and can be safely used on security-enhanced systems like secureblue.

Inspired by ublue-os/boxkit, this project provides a streamlined approach to creating and maintaining custom container images with proper signing infrastructure.

Getting Started

This project provides both pre-built signed images and a framework for creating your own custom signed containers.

Prerequisites

Using Pre-built Images

For Regular Container Hosts

# Using distrobox
distrobox create --image ghcr.io/marpogaus/arch:latest --name arch-dev

# Using toolbox
toolbox create --image ghcr.io/marpogaus/arch:latest arch-dev

For secureblue and Other Security-Enhanced Systems

If you’re running secureblue or similar security-enhanced distributions that enforce container signing policies, you’ll need to configure your system to trust the container signatures.

  1. Create a registry configuration file (the heredoc terminator EOF must start at the beginning of its line):
    mkdir -p $HOME/.config/containers/registries.d
    cat > $HOME/.config/containers/registries.d/ghcr.io-marpogaus.yaml << EOF
    docker:
      ghcr.io/marpogaus:
        use-sigstore-attachments: true
    EOF
  2. Update your container policy to allow signed images from this repository:
    # Backup existing policy
    cp /etc/containers/policy.json $HOME/.config/containers/policy.json.bak
    
    jq '.transports.docker["ghcr.io/marpogaus"] = [{"type": "sigstoreSigned", "keyPath": "/etc/pki/containers/marpogaus-cosign.pub", "signedIdentity": {"type": "matchRepository"}}]' $HOME/.config/containers/policy.json.bak > $HOME/.config/containers/policy.json
        
  3. Download and install the public key (the install path must match the keyPath set in policy.json in step 2):
    # Create directory for custom keys
    sudo mkdir -p /etc/pki/containers

    # Download the public key
    curl -o cosign.pub https://raw.githubusercontent.com/marpogaus/containerfiles/main/cosign.pub

    # Install the key under the path referenced by policy.json
    sudo cp cosign.pub /etc/pki/containers/marpogaus-cosign.pub

For rootful container access, you’ll need to modify the system policy (/etc/containers/policy.json) directly instead of the per-user copy.
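As an added example (not code from this repository), the following Python applies the same policy entry the jq command in step 2 produces and then checks the result the way a practitioner would before pulling: the entry exists, it is sigstoreSigned, the referenced key file is actually present on disk, and the signed identity is matchRepository. The sample policy and key file are constructed inline; the repository name and key path are taken from the steps above.

```python
import json
import os
import tempfile

REPO = "ghcr.io/marpogaus"
KEY_PATH = "/etc/pki/containers/marpogaus-cosign.pub"

# Constructed sample: a minimal default policy.json (reject anything not explicitly allowed).
SAMPLE_POLICY = {"default": [{"type": "reject"}], "transports": {}}


def add_sigstore_requirement(policy, repo=REPO, key_path=KEY_PATH):
    """Return a copy of `policy` with the entry the README's jq command adds: images
    under `repo` must carry a sigstore signature verifiable with `key_path`."""
    new = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    docker = new.setdefault("transports", {}).setdefault("docker", {})
    docker[repo] = [{"type": "sigstoreSigned", "keyPath": key_path,
                     "signedIdentity": {"type": "matchRepository"}}]
    return new


def check_policy(policy, repo=REPO):
    """Return the problems found for `repo` (an empty list means the policy is usable)."""
    problems = []
    if policy.get("default") != [{"type": "reject"}]:
        problems.append("default is not 'reject': unmatched images would still be accepted")
    reqs = policy.get("transports", {}).get("docker", {}).get(repo)
    if not reqs:
        problems.append(f"no docker transport entry for {repo}")
        return problems
    for req in reqs:
        if req.get("type") != "sigstoreSigned":
            problems.append(f"entry for {repo} is {req.get('type')!r}, not sigstoreSigned")
        elif not os.path.isfile(req.get("keyPath", "")):
            # Without the key the runtime cannot verify, so pulls from the repo are rejected.
            problems.append(f"keyPath {req.get('keyPath')!r} does not exist")
        elif req.get("signedIdentity", {}).get("type") != "matchRepository":
            problems.append("signedIdentity is not matchRepository as the README configures")
    return problems


def demo():
    """Exercise the check with a constructed key file that exists and one that does not."""
    with tempfile.TemporaryDirectory() as tmp:
        good_key = os.path.join(tmp, "marpogaus-cosign.pub")
        with open(good_key, "w") as fh:  # constructed placeholder, not a real key
            fh.write("-----BEGIN PUBLIC KEY-----\nplaceholder\n-----END PUBLIC KEY-----\n")
        good = check_policy(add_sigstore_requirement(SAMPLE_POLICY, key_path=good_key))
        missing = check_policy(add_sigstore_requirement(SAMPLE_POLICY, key_path=tmp + "/absent.pub"))
        untouched = check_policy(SAMPLE_POLICY)
    return good, missing, untouched


if __name__ == "__main__":
    for name, result in zip(("good", "missing", "untouched"), demo()):
        print(name, result or "OK")
```

Point check_policy at json.load() of your real $HOME/.config/containers/policy.json (or /etc/containers/policy.json for rootful use) to validate the file written in step 2.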

Creating Your Own Images

To fork this repository and create your own signed container images:

  1. Fork this repository to your GitHub account
  2. Add your containerfiles to the repository:
    • Create a directory for each image (e.g., myimage)
    • Add a Dockerfile to each directory
    • Ensure your Dockerfile includes the toolbox/distrobox label:
      LABEL com.github.containers.toolbox="true" \
            usage="This image is meant to be used with the toolbox or distrobox command"
  3. Update the build matrix in .github/workflows/docker-publish.yml:
    strategy:
      matrix:
        containerfile:
          - ...            # existing images
          - myimage        # your new image
          - anothername    # another image
        
  4. Set up container signing (highly recommended):

    a. Install cosign locally:

    b. Generate signing keys:

    cosign generate-key-pair
    # Press Enter when asked for password (leave empty)
        

    c. Add the private key to GitHub secrets:

    • Go to your repository Settings → Security → Secrets and variables → Actions
    • Create a new secret named SIGNING_SECRET
    • Copy the contents of cosign.key into the secret value
    • Never share or commit the cosign.key file

    d. Replace the public key (cosign.pub) in the repo with your new one.

  5. Push your changes and GitHub Actions will automatically build and sign your images

Contributing

Any contributions are greatly appreciated! If you have a question, an issue or would like to contribute, please read our contributing guidelines.

License

Distributed under the Apache License 2.0.

Contact

Marcel Arpogaus - [email protected] (encrypted with ROT13)

Project Link: https://github.com/marpogaus/containerfiles

Acknowledgments

  • ublue-os/boxkit - Inspiration and foundation for this project
  • secureblue - Security-enhanced Linux distribution
  • distrobox - Container-based development environments
  • toolbox - Container-based development and debugging
  • Sigstore - Container signing infrastructure
